1. Technical Field
The present invention relates to information processing devices for securely booting stored programs, and more particularly to technology for maintaining a secure state even when a program requires updating.
2. Background Art
In recent years, terminal devices such as cellular phones have started to perform a secure boot to ensure a secure platform. After the terminal device has started to boot up, a hash value is calculated for each program, such as the OS, applications, etc., as that program is booted. Integrity of the device is verified based on whether each calculated value, or a cumulative value of the calculated values, matches the expected value (see Non-Patent Literature 1-5). In the context of such a secure boot, a specific program that is being booted may use specific data. One such case is when program B in a terminal device is encrypted, and after program A (the specific program) boots, a decryption key (the specific data) is used to decrypt program B. Program B then boots. In this case, it is necessary to restrict the decryption key so that it can only be used by program A, and only when the platform is secure immediately before program A boots.
Patent Literature 1 discloses one form of technology for a specific program to securely handle specific data during a secure boot, namely to protect secure data as “sealed data” by using the seal function of the Trusted Platform Module (TPM) specified by the Trusted Computing Group (TCG), and to securely use the data during a secure boot by unsealing the sealed data in accordance with a condition for unsealing. In Patent Literature 1, a terminal device performs the seal function by protecting (hereinafter, “sealing”) the target data via encryption with the public key of a key pair in a public key encryption system, the key pair being managed in the TPM. In this case, the target data for protection is the decryption key for decrypting the encrypted program B, and the condition for unsealing is that the hash value of program A match the expected values that should be held in the extended Platform Configuration Registers (PCRs). Hereinafter, these expected values are referred to as PCR expected values. The terminal device unseals the sealed data by issuing a decryption request for the sealed data; the TPM then outputs the decrypted plaintext of the target data for protection only when the PCR value stored in the TPM at the time of decryption matches the PCR expected value set as the condition for unsealing. In this way, through use of the condition for unsealing, acquisition of the plaintext of the protected data is limited to the case in which a predetermined program has properly booted. Conversely, when the terminal device is in an improper state, such as when the program has been tampered with, the plaintext cannot be extracted from the target data for protection in the sealed data, and the secure boot fails.
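The measure-extend-seal-unseal flow described above, as an added illustrative model that is not code from Patent Literature 1 or from any TPM implementation: the root key, the boot programs and the key for program B are constructed stand-ins, and the blob format and keystream derivation are assumptions chosen only to show the unsealing condition (a real TPM binds the blob to a PCR policy inside the chip rather than with this ad hoc construction).

```python
import hashlib
import hmac

# Constructed stand-in for the TPM's storage root key; in a real TPM it never leaves the chip.
_TPM_ROOT_KEY = b"constructed-root-key-not-a-real-tpm-secret"
PCR_INIT = bytes(32)  # a PCR holds all zeros after platform reset

def measure(program: bytes) -> bytes:
    """Hash value calculated for a program when it is booted."""
    return hashlib.sha256(program).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TCG-style PCR extend: new = SHA-256(old || measurement); cumulative and order-sensitive."""
    return hashlib.sha256(pcr + measurement).digest()

def boot_chain(programs) -> bytes:
    """Measure and extend each program of the boot sequence; returns the final PCR value."""
    pcr = PCR_INIT
    for prog in programs:
        pcr = extend(pcr, measure(prog))
    return pcr

def _keystream(pcr_expected: bytes, length: int) -> bytes:
    # Keying material is derived from the root key and the PCR expected value (assumed construction).
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(_TPM_ROOT_KEY + pcr_expected + counter.to_bytes(4, "big")).digest()
    return out[:length]

def seal(secret: bytes, pcr_expected: bytes) -> dict:
    """Seal `secret` to `pcr_expected`; the resulting blob may be stored outside the TPM."""
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(pcr_expected, len(secret))))
    tag = hmac.new(_TPM_ROOT_KEY, pcr_expected + ct, hashlib.sha256).digest()
    return {"pcr_expected": pcr_expected, "ct": ct, "tag": tag}

def unseal(blob: dict, pcr_current: bytes):
    """Release the plaintext only if the blob is intact and the current PCR meets the condition."""
    tag = hmac.new(_TPM_ROOT_KEY, blob["pcr_expected"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # blob altered (e.g. condition rewritten): refuse
    if not hmac.compare_digest(pcr_current, blob["pcr_expected"]):
        return None  # platform not in the expected state: plaintext never leaves the TPM
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(blob["pcr_expected"], len(blob["ct"]))))

# Constructed sample boot sequence: bootloader, then program A, whose key for program B is sealed.
BOOTLOADER, PROGRAM_A, PROGRAM_B_KEY = b"bootloader (constructed)", b"program A (constructed)", b"constructed-key-for-B"

def demo() -> tuple:
    """Returns (key released on a clean boot, key released when program A has been tampered with)."""
    blob = seal(PROGRAM_B_KEY, boot_chain([BOOTLOADER, PROGRAM_A]))
    return (unseal(blob, boot_chain([BOOTLOADER, PROGRAM_A])),
            unseal(blob, boot_chain([BOOTLOADER, PROGRAM_A + b"\x00"])))
```

On a clean boot `demo()` returns the key for program B; once program A (or anything measured before it) differs by even one byte, the PCR no longer matches and the key is withheld, which is exactly the "secure boot fails" outcome the text describes.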